Merge remote-tracking branch 'upstream/master' into queryStuff

2026-05-04 21:25:44 +02:00 · 2020-07-02 16:08:05 +02:00
parent 2b0a091921 b5c8f2238b
commit 261821b32c
304 changed files with 16202 additions and 5458 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -1,4 +0,0 @@
-| normalizedPaths.js:208:38:208:63 | // OK - ...  anyway | Spurious alert |
-| tainted-string-steps.js:25:43:25:74 | // NOT  ... flagged | Missing alert |
-| tainted-string-steps.js:26:49:26:74 | // OK - ... flagged | Spurious alert |
-| tainted-string-steps.js:28:39:28:70 | // NOT  ... flagged | Missing alert |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
@@ -1,32 +1,3 @@
 import javascript
 import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
-
-class Assertion extends LineComment {
-  boolean shouldHaveAlert;
-
-  Assertion() {
-    if getText().matches("%NOT OK%")
-    then shouldHaveAlert = true
-    else (
-      getText().matches("%OK%") and shouldHaveAlert = false
-    )
-  }
-
-  predicate shouldHaveAlert() { shouldHaveAlert = true }
-
-  predicate hasAlert() {
-    exists(Configuration cfg, DataFlow::Node src, DataFlow::Node sink, Location loc |
-      cfg.hasFlow(src, sink) and
-      loc = sink.getAstNode().getLocation() and
-      loc.getFile() = getFile() and
-      loc.getEndLine() = getLocation().getEndLine()
-    )
-  }
-}
-
-from Assertion assertion, string message
-where
-  assertion.shouldHaveAlert() and not assertion.hasAlert() and message = "Missing alert"
-  or
-  not assertion.shouldHaveAlert() and assertion.hasAlert() and message = "Spurious alert"
-select assertion, message
+import testUtilities.ConsistencyChecking
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -14,40 +14,33 @@ var server = http.createServer(function(req, res) {
  // BAD: This could still read any file on the file system
  res.write(fs.readFileSync("/home/user/" + path));

-  // BAD: Insufficient sanitisation
  if (path.startsWith("/home/user/"))
-      res.write(fs.readFileSync(path));
+      res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation

-  // BAD: Insufficient sanitisation
  if (path.indexOf("secret") == -1)
-      res.write(fs.readFileSync(path));
+      res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation

-  // BAD: Insufficient sanitisation
  if (fs.existsSync(path))
-      res.write(fs.readFileSync(path));
+      res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation

-  // GOOD: Path is compared to white-list
  if (path === 'foo.txt')
-    res.write(fs.readFileSync(path));
+    res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list

-  // GOOD: Path is compared to white-list
  if (path === 'foo.txt' || path === 'bar.txt')
-    res.write(fs.readFileSync(path));
+    res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list

-  // BAD: Path is incompletely compared to white-list
  if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition())
-    res.write(fs.readFileSync(path));
+    res.write(fs.readFileSync(path)); // BAD: Path is incompletely compared to white-list

-  // GOOD: Path is sanitized
  path = sanitize(path);
-  res.write(fs.readFileSync(path));
+  res.write(fs.readFileSync(path)); // GOOD: Path is sanitized

  path = url.parse(req.url, true).query.path;
-  // BAD: taint is preserved
+  // GOOD: basename is safe
  res.write(fs.readFileSync(pathModule.basename(path)));
  // BAD: taint is preserved
  res.write(fs.readFileSync(pathModule.dirname(path)));
-  // BAD: taint is preserved
+  // GOOD: extname is safe
  res.write(fs.readFileSync(pathModule.extname(path)));
  // BAD: taint is preserved
  res.write(fs.readFileSync(pathModule.join(path)));
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -205,7 +205,7 @@ app.get('/join-regression', (req, res) => {
    fs.readFileSync(normalizedPath); // NOT OK

  if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public'))
-    fs.readFileSync(normalizedPath); // OK - but flagged anyway
+    fs.readFileSync(normalizedPath); // OK - but flagged anyway [INCONSISTENCY]
  else
    fs.readFileSync(normalizedPath); // NOT OK
 });
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
@@ -38,4 +38,6 @@ http.createServer(function(req, res) {
  var path = url.parse(req.url, true).query.path;

  util.promisify(fs.readFileSync)(path); // NOT OK
-});
+  require("bluebird").promisify(fs.readFileSync)(path); // NOT OK
+  require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK
+});
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js
@@ -7,12 +7,11 @@ var fs = require('fs'),

 var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
-  // BAD: taint is preserved
-  res.write(fs.readFileSync(['public', path].join('/')));
-  // BAD: taint is preserved
+  res.write(fs.readFileSync(['public', path].join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY]
+
  let parts = ['public', path];
  parts = parts.map(x => x.toLowerCase());
-  res.write(fs.readFileSync(parts.join('/')));
+  res.write(fs.readFileSync(parts.join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY]
 });

 server.listen();
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
@@ -22,10 +22,10 @@ var server = http.createServer(function(req, res) {
 	fs.readFileSync(path.split('/')[i]); // NOT OK
 	fs.readFileSync(path.split(/\//)[i]); // NOT OK
 	fs.readFileSync(path.split("?")[0]); // NOT OK
-	fs.readFileSync(path.split(unknown)[i]); // NOT OK -- but not yet flagged
-	fs.readFileSync(path.split(unknown).whatever); // OK -- but still flagged
+	fs.readFileSync(path.split(unknown)[i]); // NOT OK -- but not yet flagged [INCONSISTENCY]
+	fs.readFileSync(path.split(unknown).whatever); // OK -- but still flagged [INCONSISTENCY]
 	fs.readFileSync(path.split(unknown)); // NOT OK
-	fs.readFileSync(path.split("?")[i]); // NOT OK -- but not yet flagged
+	fs.readFileSync(path.split("?")[i]); // NOT OK -- but not yet flagged [INCONSISTENCY]
 });

 server.listen();
--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -453,6 +453,23 @@ nodes
 | tst.js:414:19:414:31 | target.taint8 |
 | tst.js:415:18:415:30 | target.taint8 |
 | tst.js:415:18:415:30 | target.taint8 |
+| tst.js:422:7:422:46 | payload |
+| tst.js:422:17:422:31 | window.location |
+| tst.js:422:17:422:31 | window.location |
+| tst.js:422:17:422:46 | window. ... bstr(1) |
+| tst.js:423:18:423:24 | payload |
+| tst.js:423:18:423:24 | payload |
+| tst.js:425:7:425:55 | match |
+| tst.js:425:15:425:29 | window.location |
+| tst.js:425:15:425:29 | window.location |
+| tst.js:425:15:425:55 | window. ... (\\w+)/) |
+| tst.js:427:20:427:24 | match |
+| tst.js:427:20:427:27 | match[1] |
+| tst.js:427:20:427:27 | match[1] |
+| tst.js:430:18:430:32 | window.location |
+| tst.js:430:18:430:32 | window.location |
+| tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:51 | window. ... '#')[1] |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:38 | document.location |
 | typeahead.js:20:22:20:38 | document.location |
@@ -882,6 +899,21 @@ edges
 | tst.js:414:19:414:31 | target.taint8 | tst.js:414:19:414:31 | target.taint8 |
 | tst.js:414:19:414:31 | target.taint8 | tst.js:415:18:415:30 | target.taint8 |
 | tst.js:414:19:414:31 | target.taint8 | tst.js:415:18:415:30 | target.taint8 |
+| tst.js:422:7:422:46 | payload | tst.js:423:18:423:24 | payload |
+| tst.js:422:7:422:46 | payload | tst.js:423:18:423:24 | payload |
+| tst.js:422:17:422:31 | window.location | tst.js:422:17:422:46 | window. ... bstr(1) |
+| tst.js:422:17:422:31 | window.location | tst.js:422:17:422:46 | window. ... bstr(1) |
+| tst.js:422:17:422:46 | window. ... bstr(1) | tst.js:422:7:422:46 | payload |
+| tst.js:425:7:425:55 | match | tst.js:427:20:427:24 | match |
+| tst.js:425:15:425:29 | window.location | tst.js:425:15:425:55 | window. ... (\\w+)/) |
+| tst.js:425:15:425:29 | window.location | tst.js:425:15:425:55 | window. ... (\\w+)/) |
+| tst.js:425:15:425:55 | window. ... (\\w+)/) | tst.js:425:7:425:55 | match |
+| tst.js:427:20:427:24 | match | tst.js:427:20:427:27 | match[1] |
+| tst.js:427:20:427:24 | match | tst.js:427:20:427:27 | match[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
@@ -1009,6 +1041,9 @@ edges
 | tst.js:403:18:403:30 | target.taint5 | tst.js:387:16:387:32 | document.location | tst.js:403:18:403:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
 | tst.js:412:18:412:30 | target.taint7 | tst.js:387:16:387:32 | document.location | tst.js:412:18:412:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
 | tst.js:415:18:415:30 | target.taint8 | tst.js:387:16:387:32 | document.location | tst.js:415:18:415:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
+| tst.js:423:18:423:24 | payload | tst.js:422:17:422:31 | window.location | tst.js:423:18:423:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:422:17:422:31 | window.location | user-provided value |
+| tst.js:427:20:427:27 | match[1] | tst.js:425:15:425:29 | window.location | tst.js:427:20:427:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:425:15:425:29 | window.location | user-provided value |
+| tst.js:430:18:430:51 | window. ... '#')[1] | tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:430:18:430:32 | window.location | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
@@ -453,6 +453,23 @@ nodes
 | tst.js:414:19:414:31 | target.taint8 |
 | tst.js:415:18:415:30 | target.taint8 |
 | tst.js:415:18:415:30 | target.taint8 |
+| tst.js:422:7:422:46 | payload |
+| tst.js:422:17:422:31 | window.location |
+| tst.js:422:17:422:31 | window.location |
+| tst.js:422:17:422:46 | window. ... bstr(1) |
+| tst.js:423:18:423:24 | payload |
+| tst.js:423:18:423:24 | payload |
+| tst.js:425:7:425:55 | match |
+| tst.js:425:15:425:29 | window.location |
+| tst.js:425:15:425:29 | window.location |
+| tst.js:425:15:425:55 | window. ... (\\w+)/) |
+| tst.js:427:20:427:24 | match |
+| tst.js:427:20:427:27 | match[1] |
+| tst.js:427:20:427:27 | match[1] |
+| tst.js:430:18:430:32 | window.location |
+| tst.js:430:18:430:32 | window.location |
+| tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:51 | window. ... '#')[1] |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:10:16:10:18 | loc |
@@ -886,6 +903,21 @@ edges
 | tst.js:414:19:414:31 | target.taint8 | tst.js:414:19:414:31 | target.taint8 |
 | tst.js:414:19:414:31 | target.taint8 | tst.js:415:18:415:30 | target.taint8 |
 | tst.js:414:19:414:31 | target.taint8 | tst.js:415:18:415:30 | target.taint8 |
+| tst.js:422:7:422:46 | payload | tst.js:423:18:423:24 | payload |
+| tst.js:422:7:422:46 | payload | tst.js:423:18:423:24 | payload |
+| tst.js:422:17:422:31 | window.location | tst.js:422:17:422:46 | window. ... bstr(1) |
+| tst.js:422:17:422:31 | window.location | tst.js:422:17:422:46 | window. ... bstr(1) |
+| tst.js:422:17:422:46 | window. ... bstr(1) | tst.js:422:7:422:46 | payload |
+| tst.js:425:7:425:55 | match | tst.js:427:20:427:24 | match |
+| tst.js:425:15:425:29 | window.location | tst.js:425:15:425:55 | window. ... (\\w+)/) |
+| tst.js:425:15:425:29 | window.location | tst.js:425:15:425:55 | window. ... (\\w+)/) |
+| tst.js:425:15:425:55 | window. ... (\\w+)/) | tst.js:425:7:425:55 | match |
+| tst.js:427:20:427:24 | match | tst.js:427:20:427:27 | match[1] |
+| tst.js:427:20:427:24 | match | tst.js:427:20:427:27 | match[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
+| tst.js:430:18:430:32 | window.location | tst.js:430:18:430:51 | window. ... '#')[1] |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
--- a/javascript/ql/test/query-tests/Security/CWE-079/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/tst.js
@@ -418,3 +418,14 @@ function test() {
  $('myId').html(target.taint9); // OK
 }

+function hash2() {
+  var payload = window.location.hash.substr(1);
+  document.write(payload); // NOT OK
+
+  let match = window.location.hash.match(/hello (\w+)/);
+  if (match) {
+    document.write(match[1]); // NOT OK
+  }
+
+  document.write(window.location.hash.split('#')[1]); // NOT OK
+}
--- a/javascript/ql/test/query-tests/filters/ClassifyFiles/MyComponent.vue
+++ b/javascript/ql/test/query-tests/filters/ClassifyFiles/MyComponent.vue
@@ -0,0 +1,6 @@
+<template>
+  <span>hey</span>
+</template>
+<script>
+export default { data: 42 }
+</script>